Kevin2600 · 2016/05/10 10:43

0x00 Preface

RFID systems, one of the building blocks of the IoT, are now fully woven into our lives, from building access control to Apple Pay; they are everywhere. Many people have shared their experience of RFID security testing, but mostly based on access cards and Mifare Classic. The Mifare family actually has many other members, for example Mifare DESFire and Mifare Ultralight, the main character of this article.

Vancouver's transit company Translink began phasing out its aging paper ticketing system in 2015 and fully rolled out an RFID-based ticketing system called Compass. To serve different kinds of passengers, the system uses Mifare DESFire for monthly pass cards and Mifare Ultralight for single-use tickets. The low cost of Mifare Ultralight makes it the natural choice for tickets, but the price of that saving is security that is close to zero, and this built-in weakness opens the door to attackers. This article takes the light-rail RFID ticketing system as an example to explore RFID systems with you.

0x01 Mifare Ultralight profile

Mifare Ultralight is one of the many Mifare products made by NXP. It also operates at 13.56 MHz, but unlike its big brother Mifare Classic it uses no encryption at all, and its data is freely accessible. Because of its low cost it is the first choice wherever single-use tickets are needed; the 2006 World Cup used it, for example. The data structure is very straightforward: 64 bytes in total, divided into 16 pages of 4 bytes each. Pages 4-15 are usually used for data storage, holding things such as the time, the entrance and the platform name. It is worth noting that this area can be read and written at will without any authentication.

UID area

Its UID area is not writable by default. It holds nine bytes, but only seven of them make up the UID. For example, in 04 e2 a8 c6 ba e2 43 80 9b, only 04 e2 a8 ba e2 43 80 is the UID; c6 and 9b are check bytes.

OTP area

Ultralight's security is described above as near zero, rather than zero, because of this One Time Programmable (OTP) area. The whole page is 4 bytes with a default value of 00 00 00 00, and it is usually used as a trip counter for a ticket. Each write is OR-ed into the page bit by bit, so a bit that has been set to 1 cannot be returned to 0; once all the 0 bits have been used up, the ticket is invalid. However, the OTP mechanism can also be bypassed by enabling the Lock Byte. Because the Compass system does not use the OTP page, this test was not done.
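To make the memory layout and write rules described above concrete, here is an added example (my own code, not from the original post and not NXP's). It models the 64-byte Ultralight map from the MF0ICU1 data sheet the post cites: it recomputes the two check bytes for the UID quoted in the post (BCC0 is the cascade tag 0x88 XOR-ed with the first three UID bytes, BCC1 the XOR of the remaining four, which is why c6 and 9b appear where they do), and it enforces the tag's write rules so the OTP "bits only go to 1" behaviour, the lock bits and the unprotected user pages can be tried offline. The dump contents other than the UID are constructed; the block-locking bits (bits 0-2 of lock byte 0) are not modelled.

```python
"""Model of the MIFARE Ultralight (MF0ICU1) 64-byte memory map.

Added example, not code from the original post. Layout and write rules follow
the NXP MF0ICU1 data sheet the post cites: 16 pages of 4 bytes; pages 0-1 hold
the 7-byte UID plus check byte BCC0; page 2 holds BCC1, an internal byte and
the two lock bytes; page 3 is the one-time-programmable (OTP) page; pages 4-15
are user data. The dump below is constructed; only the UID is the one quoted
in the post. The block-locking bits (bits 0-2 of lock byte 0) are not modelled.
"""

PAGE_SIZE = 4
NUM_PAGES = 16

# Constructed 64-byte dump: UID from the post, fresh OTP page, empty user pages.
SAMPLE_DUMP = bytes.fromhex(
    "04e2a8c6"            # page 0: UID0 UID1 UID2 BCC0
    "bae24380"            # page 1: UID3 UID4 UID5 UID6
    "9b480000"            # page 2: BCC1, internal byte, lock byte 0, lock byte 1
    "00000000"            # page 3: OTP, no bits set yet
    + "00000000" * 12     # pages 4-15: user data (constructed, all zero)
)


def bcc0(uid: bytes) -> int:
    """Check byte for the first UID half: cascade tag 0x88 XOR UID0..UID2."""
    return 0x88 ^ uid[0] ^ uid[1] ^ uid[2]


def bcc1(uid: bytes) -> int:
    """Check byte for the second UID half: XOR of UID3..UID6."""
    return uid[3] ^ uid[4] ^ uid[5] ^ uid[6]


def parse_dump(dump: bytes) -> dict:
    """Split a raw dump into the fields the post describes."""
    if len(dump) != PAGE_SIZE * NUM_PAGES:
        raise ValueError("an Ultralight dump is exactly 64 bytes")
    pages = [dump[i * PAGE_SIZE:(i + 1) * PAGE_SIZE] for i in range(NUM_PAGES)]
    return {
        "uid": pages[0][:3] + pages[1],   # 7-byte UID, split across pages 0 and 1
        "bcc0": pages[0][3],
        "bcc1": pages[2][0],
        "lock_bytes": pages[2][2:4],
        "otp": pages[3],
        "user_pages": pages[4:],
    }


def check_bytes_ok(dump: bytes) -> bool:
    """True when both check bytes match the UID, i.e. the dump is consistent."""
    t = parse_dump(dump)
    return t["bcc0"] == bcc0(t["uid"]) and t["bcc1"] == bcc1(t["uid"])


class UltralightSim:
    """Enforces the tag's write rules so the post's claims can be tried offline."""

    def __init__(self, dump: bytes):
        self.mem = bytearray(dump)

    def read_page(self, page: int) -> bytes:
        return bytes(self.mem[page * PAGE_SIZE:(page + 1) * PAGE_SIZE])

    def _is_locked(self, page: int) -> bool:
        lock0, lock1 = self.mem[10], self.mem[11]
        if page == 3:
            return bool(lock0 & 0x08)               # L-OTP
        if 4 <= page <= 7:
            return bool(lock0 & (1 << page))        # L4..L7 live in bits 4..7
        if 8 <= page <= 15:
            return bool(lock1 & (1 << (page - 8)))  # L8..L15 live in bits 0..7
        return False

    def write_page(self, page: int, data: bytes) -> None:
        if len(data) != PAGE_SIZE:
            raise ValueError("a page write carries exactly 4 bytes")
        if page in (0, 1):
            raise PermissionError("UID pages are read-only")
        if page == 2:
            # Only the lock bytes take writes, and bits can only be set, never cleared.
            self.mem[10] |= data[2]
            self.mem[11] |= data[3]
            return
        if self._is_locked(page):
            raise PermissionError(f"page {page} is locked")
        if page == 3:
            # OTP: the new value is OR-ed in, so a 1 bit never returns to 0.
            for i in range(PAGE_SIZE):
                self.mem[12 + i] |= data[i]
            return
        # Pages 4-15: plain overwrite, no authentication involved.
        self.mem[page * PAGE_SIZE:(page + 1) * PAGE_SIZE] = data


def write_allowed(sim: UltralightSim, page: int, data: bytes) -> bool:
    """Convenience wrapper: True if the tag accepted the write."""
    try:
        sim.write_page(page, data)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    t = parse_dump(SAMPLE_DUMP)
    print("UID", t["uid"].hex(), "check bytes consistent:", check_bytes_ok(SAMPLE_DUMP))
    sim = UltralightSim(SAMPLE_DUMP)
    sim.write_page(3, bytes.fromhex("00000001"))   # burn one OTP bit
    sim.write_page(3, bytes.fromhex("00000000"))   # attempt to clear it again
    print("OTP after clear attempt:", sim.read_page(3).hex())
```

Running the block shows the two properties the post relies on side by side: the OTP page keeps its 1 bit after an attempt to write zeros over it, while a user page accepts any value until one of the lock bits for that page has been set, after which the write is refused.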

0x02 Hands-on Test – Single Fare Reset Attack

It must be stated in advance that pre-paid tickets were used for the entire test. The reset attack was only tested at the station entrance, and there was no actual fare evasion, so don't worry about the tragedy of being invited to tea. I am also opposed to misusing this kind of technique to do bad things… :p

In fact, the whole attack is very simple. Because the data area can be read and written at will without authentication, we can dump the raw data of a Compass ticket beforehand, and after the ticket expires, write the original data back to the ticket with a mobile app. Surprisingly simple, isn't it? From Translink's point of view, what defensive options are there? NXP has long offered the 3DES-protected MIFARE Ultralight C; I wonder why Translink didn't consider it when the system was designed.
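The attack works because the tag itself cannot tell a restored dump from a legitimate write, so any defence short of moving to an authenticating tag has to live in the back end. The following added example (my own code, not the post's and not Translink's or Compass's) shows the back-end side of that: the server records the state it wrote to each ticket, keyed on the UID, which is the one field a genuine Ultralight will not let anyone rewrite, and rejects a tap whose user-page contents do not match what it last wrote. The ticket encoding (trips remaining plus a write sequence number in the user pages) is constructed for the example; the real Compass layout is not known to me. This catches a dump restored onto the original ticket and produces an alert for the operator, but it is a detection layer, not a substitute for the Ultralight C authentication the post points to.

```python
"""Back-end replay check for fares stored on a tag that cannot protect itself.

Added example, not part of the original post and not Translink's or Compass's
code. It assumes a fare back end that is told each ticket's state at issue time
and records the state it writes back at every gate. The ticket encoding used
here (UID, trips remaining, write sequence number in the user pages) is
constructed for the example; the real Compass layout is not known to me.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TapEvent:
    """What a gate reads from the tag and reports to the back end."""
    uid: str          # 7-byte UID as hex; factory-written and read-only on a genuine tag
    trips_left: int   # counter kept in the freely writable user pages
    seq: int          # write counter the gate increments on every accepted tap


class FareBackend:
    def __init__(self) -> None:
        self.expected = {}   # uid -> (seq, trips_left) the back end last wrote
        self.alerts = []     # (uid, reason, presented_state, expected_state)

    def issue(self, uid: str, trips: int) -> None:
        """Register a freshly sold ticket; the card is never trusted on its own."""
        self.expected[uid] = (0, trips)

    def process_tap(self, ev: TapEvent) -> str:
        exp = self.expected.get(ev.uid)
        if exp is None:
            self.alerts.append((ev.uid, "unknown uid", (ev.seq, ev.trips_left), None))
            return "rejected: ticket never issued"
        exp_seq, exp_trips = exp
        if (ev.seq, ev.trips_left) != (exp_seq, exp_trips):
            # The user pages hold something other than what the back end last wrote.
            # A lower seq with a higher trip count is what a restored dump looks like.
            reason = "state regressed" if ev.seq < exp_seq else "state mismatch"
            self.alerts.append((ev.uid, reason, (ev.seq, ev.trips_left), exp))
            return f"rejected: {reason}"
        if exp_trips <= 0:
            return "rejected: no trips left"
        # Accept, and remember the state the gate now writes back to the card.
        self.expected[ev.uid] = (exp_seq + 1, exp_trips - 1)
        return "accepted"


def run_scenario() -> list:
    """Constructed scenario: a two-trip ticket used twice, then a restored dump."""
    be = FareBackend()
    uid = "04e2a8bae24380"            # the UID quoted in the post
    be.issue(uid, trips=2)
    results = [
        be.process_tap(TapEvent(uid, 2, 0)),   # first trip, card fresh
        be.process_tap(TapEvent(uid, 1, 1)),   # second trip, card as the gate left it
        be.process_tap(TapEvent(uid, 0, 2)),   # ticket exhausted
        be.process_tap(TapEvent(uid, 2, 0)),   # user pages restored from the day-0 dump
        be.process_tap(TapEvent("deadbeef000000", 5, 0)),  # constructed UID, never sold
    ]
    return results + [len(be.alerts)]


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The design choice worth noting is that the back end compares against the exact state it wrote, rather than trusting any value on the card that "looks valid": a ticket that has never been issued is refused outright, and a ticket whose sequence number went backwards is both refused and logged, which is the signal an operator would want to see after the kind of disclosure described in the post.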

0x03 Summary

Finally, I would like to thank my brothers for their help throughout the research. At the same time, I think that how well a system's security is hardened sometimes depends on the owner's attitude to the problem. When something goes wrong, trying to hide it instead of actively fixing it, and hoping that as few people as possible know how to do it, is a very unwise attitude.

I have nothing but contempt for TransLink, the Vancouver transportation company, which knowingly ignored the problem after the vulnerability was exposed, and whose response to the reporter's questions amounted to "bite me". May luck be with you… FXXK YOU… Now we all know how to hack you..

0x04 References

  • http://www.nxp.com/documents/data_sheet/MF0ICU1.pdf
  • https://www.youtube.com/watch?v=Czvn4L1r6f4 (Building safe NFC systems – 30c3)
  • http://www.cbc.ca/news/canada/british-columbia/compass-ticket-hack-1.3535955
  • http://bc.ctvnews.ca/security-flaw-lets-smartphone-users-hack-transit-gates-1.2852464
  • https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/september/ultrareset-bypassing-nfc-access-control-with-your-smartphone/